# Routers

Sagemcom F@st 3890 exploit (Lyrebirds, from the Cable Haunt cable-modem research; 3890 is the model number, not a port):
https://github.com/Lyrebirds/sagemcom-fast-3890-exploit

Technicolor TC7230 exploit (Lyrebirds, same research; again a model number):
https://github.com/Lyrebirds/technicolor-tc7230-exploit

## Public Exploits

  • Hacking Routers
  • Extensively Adaptable Exploits and Tools for Encroaching on Router Security
  • juniper-pulse-flaw
  • Cisco Smart Install Exploitation Tool
  • SAP Vulnerabilities
  • VxWorks' TCP/IP stack (IPnet)
  • Pulse Connect Secure - CVE-2019-11510

## MIPS

MIPS cores keep separate L1 instruction and data caches (the boot log below reports a 64 kB instruction cache and a 32 kB data cache on this MT7620). Shellcode is written into memory with ordinary stores, so it lands in the data cache, and when execution jumps to it the CPU can fetch stale bytes from the instruction cache or from RAM; the payload then crashes or runs garbage. The usual fix in an exploit is to call sleep() (or any other blocking libc call) before jumping to the shellcode: the resulting context switch flushes the caches, so the stored bytes become visible to instruction fetch. The same split-cache problem exists on ARM.

Source

## Getting Information

Check the boot log for useful information, including:

  • Flash chip used
    • Gives the size of the chip (here a W25Q64: 64 Mbit, i.e. 8 MB)
  • Kernel boot location (the address U-Boot hands to bootm, here bc050000)
  • Memory map (the RAM size and the MTD partition table the kernel prints)

Boot log:

```
U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)

SoC:MediaTek MT7620
DRAM:  Memory Testing..65536K OK.
 is 64 MB
relocate_code Pointer at: 83fb0000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 29
spi device id: ef 40 17 0 0 (40170000)
Flash: W25Q64BV
*** Warning - bad CRC, using default environment

 _______________________________________________________________
|  ____                 _                 ____                  |
| |  _ \ __ _ _ __   __| | ___  _ __ __ _| __ )  _____  __      |
| | |_) / _` | '_ \ / _` |/ _ \| '__/ _` |  _ \ / _ \ \/ /      |
| |  __/ (_| | | | | (_| | (_) | | | (_| | |_) | (_) >  <       |
| |_|   \__,_|_| |_|\__,_|\___/|_|  \__,_|____/ \___/_/\_\      |
|                                                               |
|                   Ralink/MTK SDK Plantform                    |
|                      Copyright 2005-2013                      |
|                      Board:ZBT WR8305RT                       |
 ===============System Info==================
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Flash component: SPI Flash
CPU Speed: 580 MHZ
RAM Size:64 Mbytes
Build Date:Dec 9 2015 Time:14:00:36
============================================
GSW VLAN:LLLW
GPIO Init:
UARTF_SHARE_MODE:GPIO
I2C_GPIO_MODE:GPIO
init gpio20!
GPIO_MODE_REG:0x1a311d
ReadyLED Bit:0x1
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 0
   3: System Boot system code via Flash.
Press Reset button enter upgrade mode!
## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-3.18.36
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1138908 Bytes =  1.1 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...

[    0.000000] Linux version 3.18.36 (joefitz@linuxps) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49404) ) #12 Mon Sep 12 21:47:16 PDT 2016
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is ZBT WR8305RT
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00056700
[    0.000000] Readback ErrCtl register=00056700
[    0.000000] Memory: 61372K/65536K available (2515K kernel code, 124K rwdata, 516K rodata, 164K init, 186K bss, 4164K reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:256
[    0.000000] CPU Clock: 580MHz
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070000] pinctrl core: initialized pinctrl subsystem
[    0.080000] NET: Registered protocol family 16
[    0.100000] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.100000] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.110000] rt2880_gpio 10000638.gpio: registering 16 gpios
[    0.110000] rt2880_gpio 10000638.gpio: registering 16 irq handlers
[    0.120000] rt2880_gpio 10000688.gpio: registering 1 gpios
[    0.120000] rt2880_gpio 10000688.gpio: registering 1 irq handlers
[    0.130000] Switched to clocksource systick
[    0.130000] NET: Registered protocol family 2
[    0.140000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.140000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.150000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.150000] TCP: reno registered
[    0.160000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.160000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.170000] NET: Registered protocol family 1
[    0.170000] rt-timer 10000100.timer: maximum frequency is 2441Hz
[    0.180000] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.200000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.200000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.210000] msgmni has been set to 119
[    0.230000] io scheduler noop registered
[    0.230000] io scheduler deadline registered (default)
[    0.230000] ralink-usb-phy usbphy: invalid resource
[    0.240000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.250000] console [ttyS0] disabled
[    0.250000] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a 16550A
[    0.260000] console [ttyS0] enabled
[    0.260000] console [ttyS0] enabled
[    0.270000] bootconsole [early0] disabled
[    0.270000] bootconsole [early0] disabled
[    0.280000] m25p80 spi32766.0: found s25fl064k, expected mx25l6405d
[    0.290000] m25p80 spi32766.0: s25fl064k (8192 Kbytes)
[    0.290000] 4 ofpart partitions found on MTD device spi32766.0
[    0.300000] Creating 4 MTD partitions on "spi32766.0":
[    0.300000] 0x000000000000-0x000000030000 : "u-boot"
[    0.310000] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.320000] 0x000000040000-0x000000050000 : "factory"
[    0.320000] 0x000000050000-0x000000800000 : "firmware"
[    0.390000] 2 uimage-fw partitions found on MTD device firmware
[    0.390000] 0x000000050000-0x00000016611c : "kernel"
[    0.400000] 0x00000016611c-0x000000800000 : "rootfs"
[    0.400000] mtd: device 5 (rootfs) set to be root filesystem
[    0.410000] 1 squashfs-split partitions found on MTD device rootfs
[    0.420000] 0x000000340000-0x000000800000 : "rootfs_data"
[    0.430000] ralink_soc_eth 10100000.ethernet: loaded mt7620 driver
[    0.430000] ralink_soc_eth 10100000.ethernet eth0: ralink at 0xb0100000, irq 5
[    0.440000] rt2880_wdt 10000120.watchdog: Initialized
[    0.450000] TCP: cubic registered
[    0.450000] NET: Registered protocol family 17
[    0.450000] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    0.470000] 8021q: 802.1Q VLAN Support v1.8
[    0.490000] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    0.500000] Freeing unused kernel memory: 164K (80317000 - 80340000)
[    3.000000] init: Console is alive
[    3.000000] init: - watchdog -
[    5.300000] usbcore: registered new interface driver usbfs
[    5.300000] usbcore: registered new interface driver hub
[    5.310000] usbcore: registered new device driver usb
[    5.320000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.330000] ehci-platform: EHCI generic platform driver
[    5.340000] phy phy-usbphy.0: remote usb device wakeup disabled
[    5.350000] phy phy-usbphy.0: UTMI 16bit 30MHz
[    5.350000] ehci-platform 101c0000.ehci: EHCI Host Controller
[    5.360000] ehci-platform 101c0000.ehci: new USB bus registered, assigned bus number 1
[    5.370000] ehci-platform 101c0000.ehci: irq 26, io mem 0x101c0000
[    5.390000] ehci-platform 101c0000.ehci: USB 2.0 started, EHCI 1.00
[    5.390000] hub 1-0:1.0: USB hub found
[    5.400000] hub 1-0:1.0: 1 port detected
[    5.400000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    5.410000] ohci-platform: OHCI generic platform driver
[    5.420000] ohci-platform 101c1000.ohci: Generic Platform OHCI controller
[    5.420000] ohci-platform 101c1000.ohci: new USB bus registered, assigned bus number 2
[    5.430000] ohci-platform 101c1000.ohci: irq 26, io mem 0x101c1000
[    5.500000] hub 2-0:1.0: USB hub found
[    5.500000] hub 2-0:1.0: 1 port detected
[    6.000000] init: - preinit -
[    6.630000] 8021q: adding VLAN 0 to HW filter on device eth0
[    6.680000] random: mktemp urandom read with 10 bits of entropy available
Press the [] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.050000] jffs2: notice: (301) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[    8.070000] mount_root: switching to jffs2 overlay
[    8.110000] procd: - early -
[    8.110000] procd: - watchdog -
[    9.050000] procd: - ubus -
[   10.070000] procd: - init -
Please press Enter to activate this console.
[   10.830000] NET: Registered protocol family 10
[   10.840000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   10.860000] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68
[   10.870000] Backport generated by backports.git backports-20151218-0-g2f58d9d
[   10.880000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.900000] nf_conntrack version 0.5.0 (961 buckets, 3844 max)
[   10.940000] xt_time: kernel timezone is -0000
[   11.030000] PPP generic driver version 2.4.2
[   11.040000] NET: Registered protocol family 24
[   11.080000] ieee80211 phy0: rt2x00_set_rt: Info - RT chipset 5390, rev 0500 detected
[   11.090000] ieee80211 phy0: rt2x00_set_rf: Info - RF chipset 7620 detected
[   17.230000] 8021q: adding VLAN 0 to HW filter on device eth0
[   17.250000] device eth0.1 entered promiscuous mode
[   17.250000] device eth0 entered promiscuous mode
[   17.270000] br-lan: port 1(eth0.1) entered forwarding state
[   17.270000] br-lan: port 1(eth0.1) entered forwarding state
[   19.270000] br-lan: port 1(eth0.1) entered forwarding state
```

Get the file system layout from the running system. /proc/mtd lists the same partitions the kernel printed at boot; /dev/mtdN is the raw character device for partition N (mtdNro the read-only alias) and /dev/mtdblockN the block view. Note that the "kernel" partition (0x11611c) is not erase-block aligned: the uimage-fw splitter sizes it from the uImage header rather than the flash geometry.

```
root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "factory"
mtd3: 007b0000 00010000 "firmware"
mtd4: 0011611c 00010000 "kernel"
mtd5: 00699ee4 00010000 "rootfs"
mtd6: 004c0000 00010000 "rootfs_data"
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.8M    276.0K      4.5M   6% /
/dev/root                 2.0M      2.0M         0 100% /rom
tmpfs                    30.0M     56.0K     30.0M   0% /tmp
/dev/mtdblock6            4.8M    276.0K      4.5M   6% /overlay
overlayfs:/overlay        4.8M    276.0K      4.5M   6% /
tmpfs                   512.0K         0    512.0K   0% /dev
root@OpenWrt:~# mount
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/mtdblock6 on /overlay type jffs2 (rw,noatime)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
root@OpenWrt:~# ls -al /dev/mtd*
crw-r--r--    1 root     root       90,   0 Jan  1  1970 /dev/mtd0
crw-r--r--    1 root     root       90,   1 Jan  1  1970 /dev/mtd0ro
crw-r--r--    1 root     root       90,   2 Jan  1  1970 /dev/mtd1
crw-r--r--    1 root     root       90,   3 Jan  1  1970 /dev/mtd1ro
crw-r--r--    1 root     root       90,   4 Jan  1  1970 /dev/mtd2
crw-r--r--    1 root     root       90,   5 Jan  1  1970 /dev/mtd2ro
crw-r--r--    1 root     root       90,   6 Jan  1  1970 /dev/mtd3
crw-r--r--    1 root     root       90,   7 Jan  1  1970 /dev/mtd3ro
crw-r--r--    1 root     root       90,   8 Jan  1  1970 /dev/mtd4
crw-r--r--    1 root     root       90,   9 Jan  1  1970 /dev/mtd4ro
crw-r--r--    1 root     root       90,  10 Jan  1  1970 /dev/mtd5
crw-r--r--    1 root     root       90,  11 Jan  1  1970 /dev/mtd5ro
crw-r--r--    1 root     root       90,  12 Jan  1  1970 /dev/mtd6
crw-r--r--    1 root     root       90,  13 Jan  1  1970 /dev/mtd6ro
brw-r--r--    1 root     root       31,   0 Jan  1  1970 /dev/mtdblock0
brw-r--r--    1 root     root       31,   1 Jan  1  1970 /dev/mtdblock1
brw-r--r--    1 root     root       31,   2 Jan  1  1970 /dev/mtdblock2
brw-r--r--    1 root     root       31,   3 Jan  1  1970 /dev/mtdblock3
brw-r--r--    1 root     root       31,   4 Jan  1  1970 /dev/mtdblock4
brw-r--r--    1 root     root       31,   5 Jan  1  1970 /dev/mtdblock5
brw-r--r--    1 root     root       31,   6 Jan  1  1970 /dev/mtdblock6
```
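The items listed under Getting Information can be pulled out of a captured boot log mechanically and checked against /proc/mtd. The script below is an added example, not code from this page; it only understands the line formats shown above (this U-Boot's "Flash:" and "## Booting image at" lines, the kernel's MTD partition lines and /proc/mtd), and the KSEG1 flash base 0xBC000000 it uses to turn the bootm address into a flash offset is the MT7620 mapping, a parameter for other SoCs. The sample inputs are excerpts of the log and /proc/mtd output above.

```python
"""Extract flash chip, kernel image address, RAM, caches and MTD layout from a
boot log and cross-check the partition sizes against /proc/mtd.

Added example, not the page's code. Constructed inputs below are excerpts of
the page's own boot log and /proc/mtd listing.
"""
import re

FLASH_RE = re.compile(r"^Flash: (\S+)")
BOOT_RE = re.compile(r"## Booting image at ([0-9a-fA-F]+)")
RAM_RE = re.compile(r"memory: ([0-9a-f]{8}) @ ([0-9a-f]{8}) \(usable\)")
CACHE_RE = re.compile(r"Primary (instruction|data) cache (\d+)kB")
MTD_PART_RE = re.compile(r'0x([0-9a-f]{12})-0x([0-9a-f]{12}) : "([^"]+)"')
PROC_MTD_RE = re.compile(r'^(mtd\d+): ([0-9a-f]{8}) ([0-9a-f]{8}) "([^"]+)"')


def parse_boot_log(log: str) -> dict:
    """Flash chip, kernel image address, RAM size, L1 caches and MTD layout."""
    info = {"partitions": [], "caches": {}}
    for line in log.splitlines():
        msg = re.sub(r"^\[\s*[\d.]+\] ", "", line)  # strip the dmesg timestamp
        if m := FLASH_RE.match(msg):
            info["flash_chip"] = m.group(1)
        elif m := BOOT_RE.search(msg):
            info["kernel_addr"] = int(m.group(1), 16)
        elif m := RAM_RE.search(msg):
            info["ram_bytes"] = int(m.group(1), 16)
        elif m := CACHE_RE.search(msg):
            info["caches"][m.group(1)] = int(m.group(2)) * 1024
        elif m := MTD_PART_RE.search(msg):
            info["partitions"].append({"name": m.group(3),
                                       "start": int(m.group(1), 16),
                                       "end": int(m.group(2), 16)})
    return info


def parse_proc_mtd(text: str) -> dict:
    """/proc/mtd lines -> {name: (device, size, erasesize)}."""
    out = {}
    for line in text.splitlines():
        if m := PROC_MTD_RE.match(line.strip()):
            out[m.group(4)] = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
    return out


def cross_check(info: dict, proc_mtd: dict) -> list:
    """Partitions whose size in the boot log disagrees with /proc/mtd: a sign
    the dump and the running system are not the same device/firmware."""
    problems = []
    for p in info["partitions"]:
        size = p["end"] - p["start"]
        if p["name"] not in proc_mtd:
            problems.append(f'{p["name"]}: missing from /proc/mtd')
        elif proc_mtd[p["name"]][1] != size:
            problems.append(f'{p["name"]}: log {size:#x} vs /proc/mtd '
                            f'{proc_mtd[p["name"]][1]:#x}')
    return problems


def flash_offset(info: dict, flash_base: int = 0xBC000000) -> int:
    """Offset of the kernel image inside the flash chip: the bootm address
    minus the address the memory-mapped SPI flash appears at (assumed MT7620
    KSEG1 mapping 0xBC000000; pass another base for another SoC)."""
    return info["kernel_addr"] - flash_base


# Constructed: excerpts of the page's boot log and /proc/mtd output.
BOOT_LOG_EXCERPT = """\
Flash: W25Q64BV
## Booting image at bc050000 ...
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.300000] 0x000000000000-0x000000030000 : "u-boot"
[    0.310000] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.320000] 0x000000040000-0x000000050000 : "factory"
[    0.320000] 0x000000050000-0x000000800000 : "firmware"
[    0.390000] 0x000000050000-0x00000016611c : "kernel"
[    0.400000] 0x00000016611c-0x000000800000 : "rootfs"
[    0.420000] 0x000000340000-0x000000800000 : "rootfs_data"
"""
PROC_MTD_EXCERPT = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "factory"
mtd3: 007b0000 00010000 "firmware"
mtd4: 0011611c 00010000 "kernel"
mtd5: 00699ee4 00010000 "rootfs"
mtd6: 004c0000 00010000 "rootfs_data"
"""

if __name__ == "__main__":
    info = parse_boot_log(BOOT_LOG_EXCERPT)
    print(f"flash {info['flash_chip']}, kernel at flash offset {flash_offset(info):#x}")
    for p in info["partitions"]:
        print(f"  {p['name']:<12} {p['start']:#08x}-{p['end']:#08x}")
    print("mismatches:", cross_check(info, parse_proc_mtd(PROC_MTD_EXCERPT)))
```

On the page's data the kernel's flash offset comes out as 0x50000, the start of the "firmware" partition, and every size in /proc/mtd matches the boot log.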

## Uboot Attacks

https://research.nccgroup.com/2020/07/22/depthcharge/

## Boot into Uboot Mode

Press 4 during the boot countdown to drop into the U-Boot command line instead of booting from flash:

```
U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)
[...]
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
You choosed 4
 0
   4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)
MT7620 #
```

The banner before the menu is the same as in the boot log above; the MT7620 # prompt is the U-Boot shell.

## Uboot Memory Commands

sf command

  • Drives the SPI flash: sf probe, sf read, sf write, sf erase, plus sf lock and sf unlock where the build includes them
  • The read and write forms take a RAM address, a flash offset and a length, so a partition can be copied into RAM (the DRAM base is 0x80000000 on this board, as the boot log shows) and then inspected with md or pushed out over the network

## Modify Kernel Boot parameters

Get the kernel boot address (the argument U-Boot passes to bootm):

```
[...]
Press Reset button enter upgrade mode!
## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-3.18.36
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1138908 Bytes =  1.1 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
[...]
```

Change the kernel boot options and boot the image from its flash address:

```
MT7620 # setenv bootargs console=ttyS0,115200 rootfstype=squashfs,jffs2 1 single
MT7620 # bootm bc050000
```

Check whether the new boot options took effect:

```
user@OpenWrt:~$ cat /proc/cmdline
console=ttyS0,115200 rootfstype=squashfs,jffs2
```

The kernel reports the original command line, not the setenv value, so the boot options are compiled into the kernel (CONFIG_CMDLINE, set to override whatever the bootloader passes, which is how OpenWrt builds these ramips kernels). Changing them means patching the kernel image itself; see Modifying the Kernel below.

## Start Failsafe Mode

Failsafe is entered when the kernel command line contains failsafe= (any value), or when the right key is pressed on the console during the preinit wait (the "Press the [] key" prompt in the boot log above). Since the command line is compiled in on this build, the keypress path is the one that works.

The OpenWrt preinit script that implements the wait:

```sh
user@OpenWrt:~$ cat /lib/preinit/30_failsafe_wait
#!/bin/sh
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2010 Vertical Communications

fs_wait_for_key () {
	local timeout=$3
	local timer
	local do_keypress
	local keypress_true="$(mktemp)"
	local keypress_wait="$(mktemp)"
	local keypress_sec="$(mktemp)"
	if [ -z "$keypress_wait" ]; then
		keypress_wait=/tmp/.keypress_wait
		touch $keypress_wait
	fi
	if [ -z "$keypress_true" ]; then
		keypress_true=/tmp/.keypress_true
		touch $keypress_true
	fi
	if [ -z "$keypress_sec" ]; then
		keypress_sec=/tmp/.keypress_sec
		touch $keypress_sec
	fi

	trap "echo 'true' >$keypress_true; lock -u $keypress_wait ; rm -f $keypress_wait" INT
	trap "echo 'true' >$keypress_true; lock -u $keypress_wait ; rm -f $keypress_wait" USR1

	[ -n "$timeout" ] || timeout=1
	[ $timeout -ge 1 ] || timeout=1
	timer=$timeout
	lock $keypress_wait
	{
		while [ $timer -gt 0 ]; do
			echo "$timer" >$keypress_sec
			timer=$(($timer - 1))
			sleep 1
		done
		lock -u $keypress_wait
		rm -f $keypress_wait
	} &

	echo "Press the [$1] key and hit [enter] $2"
	echo "Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level"
	# if we're on the console we wait for input
	{
		while [ -r $keypress_wait ]; do
			timer="$(cat $keypress_sec)"
			[ -n "$timer" ] || timer=1
			timer="${timer%%\ *}"
			[ $timer -ge 1 ] || timer=1
			do_keypress=""
			{
				read -t "$timer" do_keypress
				case "$do_keypress" in
					$1)
						echo "true" >$keypress_true
						;;
					1 | 2 | 3 | 4)
						echo "$do_keypress" >/tmp/debug_level
						;;
					*)
						continue;
						;;
				esac
				lock -u $keypress_wait
				rm -f $keypress_wait
			}
		done
	}
	lock -w $keypress_wait

	keypressed=1
	[ "$(cat $keypress_true)" = "true" ] && keypressed=0

	rm -f $keypress_true
	rm -f $keypress_wait
	rm -f $keypress_sec

	return $keypressed
}

failsafe_wait() {
	FAILSAFE=
	grep -q 'failsafe=' /proc/cmdline && FAILSAFE=true && export FAILSAFE
	if [ "$FAILSAFE" != "true" ]; then
		pi_failsafe_net_message=true
		preinit_net_echo "Please press button now to enter failsafe"
		pi_failsafe_net_message=false
		# the first argument (the key character) is a non-printable byte that does not survive copy/paste
		fs_wait_for_key 'to enter failsafe mode' $fs_failsafe_wait_timeout && FAILSAFE=true
		[ -f "/tmp/failsafe_button" ] && FAILSAFE=true && echo "- failsafe button "`cat /tmp/failsafe_button`" was pressed -"
		[ "$FAILSAFE" = "true" ] && export FAILSAFE && touch /tmp/failsafe
	fi
}
```

The key character printed in the prompt is a non-printable ASCII character on this build (it shows as an empty [] in the log), so copy and paste it from the script rather than trying to type it. Failsafe gives a root shell with no password, so the credential files can be read straight off the flash:

```
# Cat shadow and crack file
root@(none):/# cat /etc/shadow
root:$1$NJi50Ceq$H2TXojQhmmD/lS.I41mSp1:0:0:99999:7:::
root:$1$g1UlaVkd$ZNIs8OXZmUK.QQxY7IoAN/:0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
root@(none):/# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
user:x:1000:1000:user:/home/user:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
```

The $1$ prefix marks md5crypt hashes (hashcat mode 500, John format md5crypt). Note that /etc/shadow carries two root entries; password lookups use the first one whose name matches.

## Dump Flash Memory over Serial

On the MT7620 the SPI flash is memory-mapped at physical 0x1c000000, which is 0xbc000000 in the uncached KSEG1 segment (this is why bootm is given bc050000 above), so U-Boot's md can read it directly without sf read. md counts objects rather than bytes and, with no size suffix, uses 4-byte words, so a count of 0x800000 walks four times the 8 MB chip; md.b with a byte count, or md with 0x200000 words, covers the chip exactly once.

Using md to hexdump memory:

```
MT7620 # md 0xbc000000 0x800000
bc050000: 56190527 d1c425c5 0285d757 dc601100    '..V.%..W.....`.
bc050010: 00000080 00000080 44146a2e 03020505    .........j.D....
bc050020: 5350494d 65704f20 7472576e 6e694c20    MIPS OpenWrt Lin
bc050030: 332d7875 2e38312e 00003633 00000000    ux-3.18.36......
bc050040: 8000006d 3385ec00 00000000 6f000000    m......3.......o
bc050050: a3fffffd 50707fb7 71cda0fd c8db6e7a    ......pP...qzn..
bc050060: a28c7a75 7573249e dcad593b 5a6dbcb1    uz...$su;Y....mZ
bc050070: 42f3879e dec27823 331f7d35 cfa6026a    ...B#x..5}.3j...
bc050080: f58a34da e133a7a0 e1970fd1 a510c171    .4....3.....q...
bc050090: 2646f598 82be5343 218d3a43 0a5f5f08    ..F&CS..C:.!.__.
bc0500a0: 6770a520 6c35647c 18b9db33 818fb3a2     .pg|d5l3.......
bc0500b0: 1afa0e21 11740474 13d7fd80 7188e196    !...t.t........q
bc0500c0: fc056267 eaac3daa ae355791 98ed0ac0    gb...=...W5.....
bc0500d0: 308fe3d2 538374c3 95ebd005 ab5ea0ad    ...0.t.S......^.
bc0500e0: 01b13c96 00a55ed2 e731a898 5d04ee15    .<...^....1....]
bc0500f0: 60aee688 918f6548 ae118519 6591c4d3    ...`He.........e
```

Each line is an address, four 32-bit words and an ASCII column. The words are printed in the CPU's little-endian order: 56190527 at bc050000 is the byte sequence 27 05 19 56, the uImage magic, and the ASCII column reads "MIPS OpenWrt Lin" exactly where the image name sits in the header.

Use the uart_mem_dump.py program to drive the dump programmatically and to detect and re-request lines that were corrupted on the UART.
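The core of such a tool is turning md lines back into bytes and noticing when a line was damaged in transit. The parser below is an added example, not the page's uart_mem_dump.py. It assumes the md line format shown above (8-digit address, up to four 8-digit hex words, four spaces, a 16-character ASCII column) and a little-endian target, which is what this MT7620 prints; the SAMPLE_DUMP is constructed from the first lines of the page's dump with two deliberately corrupted lines.

```python
"""Parse U-Boot `md` output captured over UART into raw bytes and report the
lines that need to be re-read.

Added example, not the page's uart_mem_dump.py. Assumes the md line format
shown on the page and a little-endian target (MT7620).
"""
import re
import struct

# <addr>: <word> [<word> ...]<4 spaces><ascii column>
MD_LINE = re.compile(
    r"^([0-9a-fA-F]{8}): ([0-9a-fA-F]{8}(?: [0-9a-fA-F]{8}){0,3}) {4}(.*)$")


def word_to_bytes(word: int, little_endian: bool = True) -> bytes:
    """md prints each 32-bit word as the CPU reads it, so on little-endian
    MIPS the word 0x56190527 stands for the bytes 27 05 19 56."""
    return struct.pack("<I" if little_endian else ">I", word)


def ascii_column(data: bytes) -> str:
    """Reproduce md's ASCII column: printable bytes as-is, everything else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_md_dump(text: str, little_endian: bool = True):
    """Return (chunks, bad_lines).

    chunks maps address -> bytes for every line that parsed and whose ASCII
    column agrees with its hex words (a cheap per-line integrity check);
    bad_lines holds the raw text of lines that failed either test.
    """
    chunks, bad_lines = {}, []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith("MT7620 #"):
            continue  # blank line or echoed prompt
        m = MD_LINE.match(line)
        if not m:
            bad_lines.append(line)  # garbled hex: a dropped or flipped char
            continue
        addr = int(m.group(1), 16)
        data = b"".join(word_to_bytes(int(w, 16), little_endian)
                        for w in m.group(2).split())
        if ascii_column(data).rstrip() != m.group(3).rstrip():
            bad_lines.append(line)  # hex and ASCII disagree: corrupted line
            continue
        chunks[addr] = data
    return chunks, bad_lines


def find_gaps(chunks: dict, start: int, length: int, step: int = 16) -> list:
    """Addresses in [start, start+length) that have no good chunk."""
    return [a for a in range(start, start + length, step) if a not in chunks]


def retry_commands(gaps: list) -> list:
    """U-Boot commands that re-read one 16-byte line per missing address."""
    return [f"md {a:08x} 4" for a in gaps]


def assemble(chunks: dict, start: int, length: int) -> bytes:
    """Join chunks into one contiguous blob; refuses to paper over gaps."""
    gaps = find_gaps(chunks, start, length)
    if gaps:
        raise ValueError(f"{len(gaps)} lines missing, first at {gaps[0]:08x}")
    return b"".join(chunks[a] for a in range(start, start + length, 16))[:length]


# Constructed sample: the first lines of the page's dump, with the second line
# missing a hex digit and the last line's ASCII column mangled in transit.
SAMPLE_DUMP = """\
MT7620 # md bc050000 20
bc050000: 56190527 d1c425c5 0285d757 dc601100    '..V.%..W.....`.
bc050010: 00000080 00000080 44146a2 03020505    .........j.D....
bc050020: 5350494d 65704f20 7472576e 6e694c20    MIPS OpenWrt Lin
bc050030: 332d7875 2e38312e 00003633 00000000    ux-3.18.36......
bc050040: 8000006d 3385ec00 00000000 6f000000    m......3.......X
"""

if __name__ == "__main__":
    chunks, bad = parse_md_dump(SAMPLE_DUMP)
    gaps = find_gaps(chunks, 0xBC050000, 0x50)
    print(f"good lines: {len(chunks)}, bad lines: {len(bad)}; re-read with:")
    for cmd in retry_commands(gaps):
        print("  " + cmd)
```

Run against the sample it keeps three lines, flags two, and asks for "md bc050010 4" and "md bc050040 4"; the same loop, fed from a real serial session, is what makes a multi-megabyte dump over a flaky UART reliable.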

## Dump Partitions over Netcat

Receive the data on the host:

```
bridings@lupin3:~/GDS/Labs/hardware >>> netcat -l -p 1234 > mtd0
```

Send a partition from the router with nc, reading the raw MTD character device (/dev/mtd0 is the u-boot partition here; /dev/mtd3 is the whole firmware area):

```
root@OpenWrt:~# cat /dev/mtd0 | nc 192.168.1.153 1234
```

Repeat per partition. nc provides no integrity check, so compare the size of the received file against /proc/mtd and the md5sum of the file against the md5sum of /dev/mtdN computed on the router.

## Dump Flash memory over TFTP

Start a TFTP server as described in [TFTP](/Linux/Kernel/From Scratch.md#TFTP).

The commands below do not dump flash by themselves: they point U-Boot at the TFTP server, pull a Debian initramfs FIT image (board.itb) into RAM and boot it, which gives a full userland from which the flash can be copied out (for example with the netcat method above). They also come from a different board than the MT7620 used elsewhere on this page (the earlycon address 0x21c0500 is not an MT7620 UART), so the addresses and bootargs must be adapted. To push flash contents out over TFTP straight from U-Boot, read the region into RAM first (sf read, or simply the memory-mapped address on the MT7620) and use tftpput, if the bootloader was built with that command.

```
# Set the variables to point to the server
setenv ipaddr 192.168.88.95
setenv serverip 192.168.88.4
setenv bootargs "console=ttyS0,115200 earlycon=uart8250,mmio,0x21c0500 root=/dev/ram0 rootwait rw"
# Copy the initramfs and boot from it
tftp 0x80000000 embedded-debian/board.itb
setenv bootargs "$bootargs root=/dev/ram0 rootwait rw"
bootm 0x80000000#standard
```

The #standard suffix selects the configuration node of that name inside the FIT image.

## Modifying File Systems

### Modifying a SquashFS partition

Find the file system in the dump. binwalk gives the offset (0x16611C), the compressor (xz), the block size (262144) and where the next partition starts (JFFS2 at 0x340000); all four are needed later:

```
>>> binwalk memory.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
94560         0x17160         U-Boot version string, "U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)"
94904         0x172B8         HTML document header
95967         0x176DF         HTML document footer
96090         0x1775A         HTML document header
96294         0x17826         HTML document footer
96408         0x17898         HTML document header
96940         0x17AAC         HTML document footer
97052         0x17B1C         HTML document header
97497         0x17CD9         HTML document footer
98693         0x18185         Copyright string: "Copyright 2005-2013 |"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xC525C4D1, created: 2016-09-13 04:48:02, image size: 1138908 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x2E6A1444, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3376620 bytes
1466652       0x16611C        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872       0x340000        JFFS2 filesystem, little endian
```

Extract the file system (binwalk -e leaves it under _memory.bin.extracted/):

```
└──╼ $sudo unsquashfs _memory.bin.extracted/16611C.squashfs
Parallel unsquashfs: Using 1 processor
653 inodes (657 blocks) to write
[...]
created 468 files
created 61 directories
created 0 symlinks
created 0 devices
created 0 fifos
```

Modify a file. Here a new root password hash is added to the extracted shadow file and the user account's uid is set to 0:

```
# Generate a password hash (md5crypt, the $1$ format the file already uses)
>>> mkpasswd -5 root
$1$we1TxRD6$GBiFEgOlEreUU6QF..99H0
# Insert it as a root entry
>>> cat ./etc/shadow
root:$1$NJi50Ceq$H2TXojQhmmD/lS.I41mSp1:0:0:99999:7:::
root:$1$g1UlaVkd$ZNIs8OXZmUK.QQxY7IoAN/:0:0:99999:7:::
root:$1$we1TxRD6$GBiFEgOlEreUU6QF..99H0:0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
# Change the user's uid to 0 so it logs in as root
>>> cat ./etc/passwd
root:x:0:0:root:/root:/bin/ash
user:x:0:1000:user:/home/user:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
```

One caveat: shadow lookups return the first entry whose name matches, so a third root line appended after the two existing ones is never consulted. Replace the first root entry instead of adding one. The uid change works regardless of the hash.

Repackage the file system with the same compressor and block size as the original (both reported by binwalk), -nopad so the image is not padded to a 4 KiB multiple, -noappend to create a fresh image, and -root-owned so every file is root:root as in the original:

```
# Find the block size of the partition using binwalk
>>> binwalk memory.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
[...]
1466652       0x16611C        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872       0x340000        JFFS2 filesystem, little endian
#
>>> mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144
Parallel mksquashfs: Using 1 processor
Creating 4.0 filesystem on myfs, block size 262144.
[==========================================================================================================================|] 472/472 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
	compressed data, compressed metadata, compressed fragments, compressed xattrs, compressed ids
	duplicates are removed
Filesystem size 1892.16 Kbytes (1.85 Mbytes)
	33.05% of uncompressed filesystem size (5725.16 Kbytes)
Inode table size 5326 bytes (5.20 Kbytes)
	22.27% of uncompressed inode table size (23913 bytes)
Directory table size 6588 bytes (6.43 Kbytes)
	46.63% of uncompressed directory table size (14127 bytes)
Number of duplicate files found 3
Number of inodes 713
Number of files 468
Number of fragments 19
Number of symbolic links 184
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 61
Number of ids (unique uids + gids) 1
Number of uids 1
	root (0)
Number of gids 1
	root (0)
```

Write the new SquashFS back into the flash image at the offset binwalk reported. Check first that it still fits in front of the JFFS2 partition at 0x340000: 1466652 + 1937576 = 3404228 bytes, 3644 bytes short of 3407872, so it does; a larger image would overwrite the start of rootfs_data.

```
# Find the offset in the flash file
>>> binwalk memory.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
[...]
1466652       0x16611C        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872       0x340000        JFFS2 filesystem, little endian
# skip= is an offset into the input file, seek= an offset into the output file;
# conv=notrunc keeps the rest of memory.bin intact
>>> dd if=_memory.bin.extracted/myfs of=memory.bin bs=1 seek=1466652 conv=notrunc
1926461 bytes (1.9 MB, 1.8 MiB) copied, 160 s, 12.0 kB/s
1937576+0 records in
1937576+0 records out
1937576 bytes (1.9 MB, 1.8 MiB) copied, 160.921 s, 12.0 kB/s
# Check the updated file
>>> binwalk memory.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
[...]
1466652       0x16611C        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1937576 bytes, 713 inodes, blocksize: 262144 bytes, created: 2021-07-06 18:36:47
3407872       0x340000        JFFS2 filesystem, little endian
```

bs=1 is what makes dd take 160 s for 1.9 MB; GNU dd accepts a byte offset together with a large block size through its oflag=seek_bytes option.
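The offset, block size and compressor can be read from the SquashFS superblock itself instead of binwalk's output, and the fit check above can be done in code before anything is written. The script below is an added example, not code from the page: it decodes the SquashFS 4.0 superblock, derives the mksquashfs options that reproduce the image, predicts where OpenWrt's squashfs splitter will place rootfs_data (the end of the squashfs rounded up to the 64 KiB erase block), and splices a rebuilt image in only if it fits before the next partition. The flash image in build_demo_image() is constructed for the self-test (a blank 4 MB image with a fake superblock at 0x16611C and a JFFS2 marker at 0x340000, the offsets from the page's dump); it is not the page's memory.bin.

```python
"""Locate a SquashFS inside a flash dump, read back the parameters that
mksquashfs needs, and splice a rebuilt image in without overrunning the
partition that follows.

Added example, not code from the page. Standard library only.
"""
import struct

SQUASHFS_MAGIC = b"hsqs"        # 0x73717368 stored little-endian
JFFS2_MAGIC = b"\x85\x19"       # 0x1985 stored little-endian
SB_FMT = "<IIIIIHHHHHHQQ"       # superblock fields up to and including bytes_used
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
FLAG_NO_FRAGMENTS = 1 << 4      # SQUASHFS_NO_FRAG
FLAG_ALWAYS_FRAGMENTS = 1 << 5  # SQUASHFS_ALWAYS_FRAG


def parse_superblock(image: bytes, offset: int) -> dict:
    """Decode the SquashFS 4.0 superblock at image[offset:]."""
    if image[offset:offset + 4] != SQUASHFS_MAGIC:
        raise ValueError(f"no little-endian squashfs magic at {offset:#x}")
    if offset + struct.calcsize(SB_FMT) > len(image):
        raise ValueError("truncated superblock")
    (_, inodes, mtime, block_size, _frags, comp, block_log, flags, _ids,
     major, minor, _root, bytes_used) = struct.unpack_from(SB_FMT, image, offset)
    if major != 4 or (1 << block_log) != block_size:
        raise ValueError(f"implausible superblock at {offset:#x}")
    return {"offset": offset, "version": f"{major}.{minor}",
            "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
            "block_size": block_size, "inodes": inodes, "mtime": mtime,
            "flags": flags, "bytes_used": bytes_used}


def find_squashfs(image: bytes) -> list:
    """Every offset whose 'hsqs' magic decodes to a plausible superblock."""
    found, pos = [], image.find(SQUASHFS_MAGIC)
    while pos != -1:
        try:
            found.append(parse_superblock(image, pos))
        except ValueError:
            pass  # stray 'hsqs' bytes inside other data
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return found


def mksquashfs_args(sb: dict) -> list:
    """mksquashfs options that reproduce this image's layout, as on the page."""
    args = ["-comp", sb["compression"], "-b", str(sb["block_size"]),
            "-nopad", "-noappend", "-root-owned"]
    if sb["flags"] & FLAG_ALWAYS_FRAGMENTS:
        args.append("-always-use-fragments")
    if sb["flags"] & FLAG_NO_FRAGMENTS:
        args.append("-no-fragments")
    return args


def rootfs_data_start(sb: dict, erase_size: int = 0x10000) -> int:
    """Where OpenWrt's squashfs splitter puts rootfs_data: the end of the
    squashfs rounded up to the next erase block (0x340000 on the page)."""
    end = sb["offset"] + sb["bytes_used"]
    return (end + erase_size - 1) // erase_size * erase_size


def splice_partition(image: bytes, offset: int, blob: bytes, limit: int) -> bytes:
    """Write blob at offset, refusing to cross limit (start of the next
    partition) and filling the rest of the old area with 0xFF like erased flash."""
    if limit > len(image) or offset >= limit:
        raise ValueError("bad region")
    overrun = offset + len(blob) - limit
    if overrun > 0:
        raise ValueError(f"new image is {overrun} bytes too large for "
                         f"[{offset:#x}, {limit:#x})")
    return image[:offset] + blob + b"\xff" * (limit - offset - len(blob)) + image[limit:]


def build_demo_image() -> bytes:
    """Constructed 4 MB flash image mirroring the page's layout (fake superblock)."""
    image = bytearray(b"\xff" * 0x400000)
    sb = struct.pack(SB_FMT, 0x73717368, 714, 1473742043, 262144, 19, 4, 18,
                     FLAG_ALWAYS_FRAGMENTS | (1 << 6) | (1 << 7), 1, 4, 0,
                     0, 1919250)
    image[0x16611C:0x16611C + len(sb)] = sb
    image[0x340000:0x340002] = JFFS2_MAGIC
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    for sb in find_squashfs(img):
        print(f"squashfs at {sb['offset']:#x}, {sb['bytes_used']} bytes: "
              f"mksquashfs {' '.join(mksquashfs_args(sb))}")
        print(f"rootfs_data would start at {rootfs_data_start(sb):#x}")
```

On the page's numbers the rounding reproduces the kernel's rootfs_data start of 0x340000 for both the original (1919250-byte) and the rebuilt (1937576-byte) image, which is what keeps the existing JFFS2 overlay intact after the splice.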

## Modifying the Kernel

  1. Extract the kernel with binwalk (the LZMA stream at 0x50040 decompresses to the raw MIPS kernel)
  2. Load the decompressed kernel in IDA and patch it
  3. Recompress it with the same LZMA parameters
  4. Rebuild the uImage header and write the result back into the firmware image

Recompress the kernel. binwalk reported an LZMA properties byte of 0x6D, which decodes to lc=1, lp=2, pb=2 (props = (pb*5 + lp)*9 + lc), and a dictionary of 8388608 bytes, the encoder's default -d23; those are the switches used below. The encoder is the LZMA SDK 4.65 command-line tool, which writes the 13-byte .lzma header (properties, dictionary size, uncompressed size) that U-Boot's decompressor expects:

```
# Get the special version of lzma binary
>>> ../lzma

LZMA 4.65 : Igor Pavlov : Public domain : 2009-02-03

Usage:  LZMA <e|d> inputFile outputFile [<switches>...]
  e: encode file
  d: decode file
  b: Benchmark
<Switches>
  -a{N}:  set compression mode - [0, 1], default: 1 (max)
  -d{N}:  set dictionary size - [12, 30], default: 23 (8MB)
  -fb{N}: set number of fast bytes - [5, 273], default: 128
  -mc{N}: set number of cycles for match finder
  -lc{N}: set number of literal context bits - [0, 8], default: 3
  -lp{N}: set number of literal pos bits - [0, 4], default: 0
  -pb{N}: set number of pos bits - [0, 4], default: 2
  -mf{MF_ID}: set Match Finder: [bt2, bt3, bt4, hc4], default: bt4
  -mt{N}: set number of CPU threads
  -eos:   write End Of Stream marker
  -si:    read data from stdin
  -so:    write data to stdout
>>> ../lzma e 50040 -lc1 -lp2 -pb2 -mc100 50040.lzma

LZMA 4.65 : Igor Pavlov : Public domain : 2009-02-03
```

Script to shrink the output until it fits. The patched kernel must compress to no more than the original LZMA stream's space (0x16611C - 0x50040 bytes), so the match-finder cycle count is raised until the result is small enough:

```sh
#!/bin/bash
# Re-encode the patched kernel, raising the match-finder cycles (-mc) until
# the output fits in the space available before the squashfs.
INPUTFILE=$1
OUTPUTFILE="${INPUTFILE}.lzma"
# Space between the LZMA data at 0x50040 and the squashfs at 0x16611C:
#MAXSIZE=$((0x16611C - 0x50040))
MAXSIZE=$2

for i in {1..100}; do
	echo "Trying $i"
	../lzma e "$INPUTFILE" -lc1 -lp2 -pb2 -mc$i "$OUTPUTFILE"
	# Check the size of the result
	FILESIZE=$(stat -c%s "$OUTPUTFILE")
	echo "Size of $OUTPUTFILE = $FILESIZE bytes."
	echo "Max size is $MAXSIZE bytes."
	if [ "$FILESIZE" -gt "$MAXSIZE" ]; then
		echo "nope"
	else
		echo "fine"
		break
	fi
done
```

Modify the uImage header. The legacy 64-byte header holds the header CRC at bytes 4-7, the payload size at bytes 12-15 and the payload CRC at bytes 24-27, all big-endian; the header CRC is computed over the whole header with its own field zeroed, so it has to be the last thing written:

```
# Copy the old 64-byte header out of the original dump
>>> dd if=../origional_memory.bin of=50000 bs=1 skip=$((0x50000)) count=$((0x40))
64+0 records in
64+0 records out
64 bytes copied, 0.0210238 s, 3.0 kB/s

# Calculate the new data CRC over the recompressed kernel
└──╼ $crc32 50040.lzma
7fde2b33

# Zero the header CRC (bytes 4-7) and the data CRC (bytes 24-27)
>>> dd if=/dev/zero of=50000_nocrc bs=1 seek=4 count=4 conv=notrunc
>>> dd if=/dev/zero of=50000_nocrc bs=1 seek=24 count=4 conv=notrunc
>>> xxd 50000_nocrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60dc  '..V....W.....`.
00000010: 8000 0000 8000 0000 0000 0000 0505 0203  ................
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e  MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000  ux-3.18.36......

# Write the new data CRC into bytes 24-27
>>> xxd 50000_nocrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60dc  '..V....W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203  ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e  MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000  ux-3.18.36......

# Update the image length (bytes 12-15) to the new payload size: 1138893 = 0x1160cd
>>> ls -al 50040.lzma
-rw-r--r-- 1 502 dialout 1138893 Jul  8 15:04 50040.lzma
>>> xxd 50000_newcrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60cd  '..V....W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203  ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e  MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000  ux-3.18.36......

# Calculate the header CRC over the 64 bytes while the CRC field is still zero
>>> crc32 50000_newcrc
7a3ceeb3

# Write it into bytes 4-7
>>> xxd 50000_newcrc
00000000: 2705 1956 7a3c eeb3 57d7 8502 0011 60cd  '..Vz<..W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203  ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e  MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000  ux-3.18.36......
```

Add the uImage header to the file:

```
# Check that binwalk parses the rebuilt header and reports the new size and CRCs
>>> binwalk _memory.bin.extracted/50000_newcrc

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x7A3CEEB3, created: 2016-09-13 04:48:02, image size: 1138893 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x7FDE2B33, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
# Merge the new kernel with the rebuilt header
>>> cat 50000_newcrc 50040.lzma > mod_uimage.bin
```

Merge the image into the firmware:

```
# Clear the old kernel area (0x50000 up to the squashfs at 0x16611C) before writing
>>> dd if=/dev/zero of=memory.bin bs=1 seek=$((0x50000)) count=$((0x16611C - 0x50000)) conv=notrunc
1133173 bytes (1.1 MB, 1.1 MiB) copied, 99 s, 11.4 kB/s
1138972+0 records in
1138972+0 records out
1138972 bytes (1.1 MB, 1.1 MiB) copied, 99.501 s, 11.4 kB/s
# Write the new kernel (header + payload)
>>> dd if=_memory.bin.extracted/mod_uimage.bin of=memory.bin bs=1 seek=$((0x50000)) conv=notrunc
```

The cleared area is exactly the size of the original uImage (64 + 1138908 = 1138972 bytes), so the new one must not be larger: 64 + 1138893 = 1138957 bytes fits with 15 bytes to spare. U-Boot takes the payload length from the header, so the zero padding after it is harmless; anything that spilled past 0x16611C would overwrite the start of the squashfs.
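The header surgery above (zero the CRC fields, set the size, compute the data CRC, then the header CRC over the header with its own CRC field zeroed) is what U-Boot's mkimage does, and it is easy to get the order or an offset wrong by hand. The script below is an added example, not code from the page or from U-Boot: it parses and rebuilds the legacy uImage header with Python's zlib.crc32 (the same CRC-32 U-Boot uses for "Verifying Checksum"), and decodes the 13-byte .lzma header so the encoder switches can be read off a dump rather than guessed. ORIGINAL_HEADER is reconstructed from the header bytes the md and xxd listings above show, with the CRCs binwalk reported; LZMA_HEADER is constructed from the values binwalk printed for the page's stream. The re-compressed kernel itself is not on the page, so the self-test uses a constructed stand-in payload.

```python
"""Rebuild a U-Boot legacy uImage header for a re-compressed kernel and decode
the LZMA header to recover the -lc/-lp/-pb switches.

Added example, not the page's or U-Boot's code. Standard library only.
"""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_FMT = ">IIIIIIIBBBB32s"        # magic hcrc time size load ep dcrc os arch type comp name
IH_SIZE = struct.calcsize(IH_FMT)  # 64


def parse_uimage_header(hdr: bytes) -> dict:
    fields = struct.unpack(IH_FMT, hdr[:IH_SIZE])
    if fields[0] != IH_MAGIC:
        raise ValueError("not a uImage header")
    keys = ("magic", "hcrc", "time", "size", "load", "ep", "dcrc",
            "os", "arch", "type", "comp", "name")
    d = dict(zip(keys, fields))
    d["name"] = d["name"].rstrip(b"\x00").decode()
    return d


def header_crc(hdr: bytes) -> int:
    """U-Boot computes ih_hcrc over the 64-byte header with that field zeroed."""
    return zlib.crc32(hdr[:4] + b"\x00\x00\x00\x00" + hdr[8:IH_SIZE]) & 0xFFFFFFFF


def verify_uimage(hdr: bytes, payload: bytes = None) -> bool:
    """The checks behind U-Boot's 'Verifying Checksum ... OK'."""
    h = parse_uimage_header(hdr)
    if header_crc(hdr) != h["hcrc"]:
        return False
    if payload is None:
        return True
    return len(payload) == h["size"] and (zlib.crc32(payload) & 0xFFFFFFFF) == h["dcrc"]


def rebuild_uimage_header(old_hdr: bytes, payload: bytes) -> bytes:
    """Keep every field of the old header except size, data CRC and header CRC."""
    h = parse_uimage_header(old_hdr)
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, h["time"], len(payload), h["load"],
                      h["ep"], dcrc, h["os"], h["arch"], h["type"], h["comp"],
                      h["name"].encode())
    return hdr[:4] + struct.pack(">I", header_crc(hdr)) + hdr[8:]


def lzma_props(props: int) -> tuple:
    """Decode the LZMA properties byte: props = (pb * 5 + lp) * 9 + lc."""
    return props % 9, (props // 9) % 5, props // 45


def parse_lzma_header(data: bytes) -> dict:
    """The 13-byte .lzma header: props, dict size (LE32), uncompressed size (LE64)."""
    props, dict_size, usize = struct.unpack_from("<BIQ", data, 0)
    lc, lp, pb = lzma_props(props)
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == 0xFFFFFFFFFFFFFFFF else usize,
            "encoder_switches": f"-lc{lc} -lp{lp} -pb{pb}"}


# The original header at 0x50000 in the page's dump (see the md / xxd output
# above), with the CRCs binwalk reported.
ORIGINAL_HEADER = struct.pack(
    IH_FMT, IH_MAGIC, 0xC525C4D1, 0x57D78502, 1138908, 0x80000000, 0x80000000,
    0x2E6A1444, 5, 5, 2, 3, b"MIPS OpenWrt Linux-3.18.36")
# Constructed: the first 13 bytes of the page's LZMA stream as binwalk
# decoded them (properties 0x6D, 8 MB dictionary, 3376620 bytes uncompressed).
LZMA_HEADER = bytes([0x6D]) + struct.pack("<IQ", 8388608, 3376620)

if __name__ == "__main__":
    print(parse_uimage_header(ORIGINAL_HEADER))
    print("original header CRC valid:", verify_uimage(ORIGINAL_HEADER))
    print(parse_lzma_header(LZMA_HEADER))
```

Feeding the original header's bytes through verify_uimage() is a worthwhile sanity check before rebuilding anything: if it fails, the dump or the offset is wrong, not the CRC routine.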